NETGEAR Nighthawk WiFi6 Router Multiple Vulnerabilities

CVE-2022-47208 : Command Injection in User Agent
The “puhttpsniff” service, which runs by default, is susceptible to command injection due to improperly sanitized user input. An unauthenticated attacker on the same network segment as the router can execute arbitrary commands on the device without authentication.

CVSSv3 - 9.6 - AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2022-47209 : Hardcoded Credentials / Backdoor Account
There are four user accounts on the device by default. The accounts and associated hashes stored in “/etc/passwd” are as follows:

admin:$1$redacted:0:0:Administrator:/:/bin/sh
support:$1$QkcawmV.$VU4maCah6eHihce5l4YCP0:0:0:Technical Support:/:/bin/sh
user:$1$9RZrTDt7$UAaEbCkq.Qa4u0QwXpzln/:0:0:Normal User:/:/bin/sh
nobody:$1$OWpQjger$j7CFLUn8yoD8agVf6x5gA0:0:0:nobody for ftp:/:/bin/sh

“admin” is the user normally intended to be interacted with. This user is used by the web interface and any other services a user typically interacts with.

The “support” user, however, appears to be an account created as a sort of backdoor for Technical Support staff. The default password for this account is “support” and cannot be changed by a user via any normally accessible means.

Please note that this account does not have access to the web ui or other standard interfaces. The patch for this issue appears to prevent access to this account from all currently known vectors.

CVSSv3 - 6.3 - AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2022-47210 : Command Injection in Restricted Shell
The default console presented to users over telnet (when enabled) is restricted to a subset of commands. Commands issued at this console, however, appear to be fed directly into a system call or other similar function. This allows any authenticated user to execute arbitrary commands on the device.

CVSSv3 - 8.8 - AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H